Since CBC-MAC is insecure for variable-length messages if nothing is done to handle them, I'm wondering how it can be used with variable-length messages.

Rogaway's critique of CCM indicates that it is not an online mode of operation (the length must be known ahead of time for CCM). So, can it be altered/modified to be online? Like by perhaps appending the length of the message as the last block?

1 Answer

Q1: Since CBC-MAC is insecure for variable-length messages if nothing is done to handle them, I'm wondering how it can be used with variable-length messages.

CCM simply uses a packet format which simply includes the message size in the first block of data, see SP 800-38C, to be precise section A.2.1: Formatting of the Control Information and the Nonce.

Unfortunately, including the length in the first block is what destroys most of the online capabilities. Furthermore, the packet construction is rather obnoxious, with a lot of bit fiddling and dependencies between different methods of length encoding, and so forth.

Q2: Rogaway's critique of CCM indicates that it is not an online mode of operation (the length must be known ahead of time for CCM). So, can it be altered/modified to be online? Like by perhaps appending the length of the message as the last block?

Yes, it can be modified, but this is already done for you: it is called CMAC, usually prefixed by the cipher it was created for: AES-CMAC, particularly because it was designed for a block cipher with a block size of 128 bit:

The core of AES-CMAC is the basic CBC-MAC. For a message, M, to be
authenticated, the CBC-MAC is applied to M.

CMAC consists of CBC-MAC with a pre- and post-processing added to it, particularly to avoid length extension attacks. It is possible to use AES-CBC and perform the pre- and post-processing yourself, which makes it a drop-in replacement for CBC-MAC even if CBC-MAC is accelerated.

There is a proposed AEAD cipher that replaces CCM as well, called EAX mode, which uses AES-CMAC to calculate the authentication tag. It was never standardized by NIST (and probably won't be, if you look at the time it has been a proposed mode) but it is a more flexible replacement of CCM.

Like CCM it only relies on the block cipher as underlying primitive but it is much more flexible and easier to handle as it doesn't require you to create "packets" like CCM mode does. Instead, everything is "online", with the disadvantage that it is - like CMAC - slower because of the pre- and post-processing required.

Both CCM and EAX mode are "two pass" AEAD ciphers, which means that all the data needs to be processed twice by the block cipher. There are modes of operation that can be faster: the single pass - but patented - OCB mode and the so called one-and-a-half pass GCM mode. Especially when accelerated (on newer Intel / AMD processors for instance) GCM mode will be faster than CCM or EAX mode, while only being slightly less flexible/online/foolproof compared to EAX mode.

The AES-CMAC RFC I've linked to is particularly based on XCBC MAC which was created by Philip Rogaway while EAX mode was specified here, which is co-authored by him. So he didn't just criticize fortunately, he did help to improve the situation as well.
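To make the "length goes into the first block" point concrete, here is an added example (not from the question, the answer, or NIST) that builds the CCM control blocks the way SP 800-38C Appendix A.2 prescribes: the flags byte and the payload length are packed into B0 before a single payload byte is processed, and the associated-data length uses one of three encodings depending on its size. Function names and the constructed nonce/AAD values are this example's own.

```python
# Added example (not from the original answer): the CCM packet formatting from
# SP 800-38C Appendix A.2.  No cipher is involved here; this is purely the
# "control information" that is fed to CBC-MAC ahead of the payload.

def ccm_flags(has_adata, tag_len, q):
    """Flags byte of B0 (A.2.1): bit 6 = Adata, bits 5..3 = (t-2)/2, bits 2..0 = q-1."""
    if tag_len not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("tag length t must be an even number in 4..16")
    if not 2 <= q <= 8:
        raise ValueError("length-field size q must be in 2..8")
    return (0x40 if has_adata else 0) | (((tag_len - 2) // 2) << 3) | (q - 1)

def ccm_b0(nonce, payload_len, tag_len, has_adata):
    """B0 = flags || N || Q.  q = 15 - len(nonce); Q is the payload length, big-endian in q bytes.
    The payload length must be known here, before anything else is MACed: this is why CCM is not online."""
    q = 15 - len(nonce)
    if payload_len >= 1 << (8 * q):
        raise ValueError("payload too long for a %d-byte length field" % q)
    return bytes([ccm_flags(has_adata, tag_len, q)]) + nonce + payload_len.to_bytes(q, "big")

def ccm_encode_adata_len(a):
    """Encoding of the associated-data length a (A.2.2): three formats chosen by magnitude."""
    if a < (1 << 16) - (1 << 8):
        return a.to_bytes(2, "big")
    if a < 1 << 32:
        return b"\xff\xfe" + a.to_bytes(4, "big")
    if a < 1 << 64:
        return b"\xff\xff" + a.to_bytes(8, "big")
    raise ValueError("associated data too long")

def ccm_format_blocks(nonce, adata, payload_len, tag_len):
    """Return the 16-byte blocks B0, B1, ... that precede the payload in CCM's CBC-MAC input."""
    blocks = [ccm_b0(nonce, payload_len, tag_len, bool(adata))]
    if adata:
        buf = ccm_encode_adata_len(len(adata)) + adata
        buf += bytes(-len(buf) % 16)          # zero-pad the AAD section to a block boundary
        blocks += [buf[i:i + 16] for i in range(0, len(buf), 16)]
    return blocks

if __name__ == "__main__":
    # Constructed sample values: a 13-byte nonce (so q = 2), a 3-byte AAD, a 32-byte payload, 16-byte tag.
    nonce = bytes(range(1, 14))
    for blk in ccm_format_blocks(nonce, b"hdr", 32, 16):
        print(blk.hex())
```

With a 13-byte nonce and a 16-byte tag the flags byte is 0x79 (0x59 for the 8-byte tag used by 802.11 CCMP), which matches what you see on the wire in those protocols.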

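The answer says CMAC is "CBC-MAC with a pre- and post-processing added to it" and that you can do that processing yourself on top of plain AES-CBC. Here is an added example (not part of the question or the answer, and not code from any project mentioned) that does exactly that: a zero-IV CBC-MAC, the two-subkey derivation as the pre-processing, and the final-block masking or padding as the post-processing, checked against the published RFC 4493 test vectors. The AES-128 block function and all function names are this example's own; AES is written out in pure Python only so the snippet runs with no third-party packages, and it is neither fast nor constant-time.

```python
# Added example (not from the original answer): AES-CMAC assembled from an unmodified CBC-MAC.

def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map) instead of typing the table."""
    sbox = [0] * 256
    p = q = 1
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (a generator of GF(2^8)*)
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        q ^= 0x09 if q & 0x80 else 0                            # q /= 3, so q stays equal to 1/p
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def _xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _expand_key(key):
    """FIPS-197 key schedule for AES-128: eleven 16-byte round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is column-major (index 4*col + row)."""
    rks = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                       # MixColumns
            out = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = out
        s = [b ^ k for b, k in zip(s, rks[rnd])]                            # AddRoundKey
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key, msg):
    """Plain zero-IV CBC-MAC over whole blocks: only safe for fixed-length messages on its own."""
    assert len(msg) % 16 == 0
    x = bytes(16)
    for i in range(0, len(msg), 16):
        x = aes128_encrypt_block(key, _xor(x, msg[i:i + 16]))
    return x

def _dbl(block):
    """Doubling in GF(2^128) with the CMAC reduction constant 0x87."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(16, "big")

def cmac_subkeys(key):
    """Pre-processing: K1 and K2 derived from E_K(0^128) (RFC 4493 section 2.3)."""
    k1 = _dbl(aes128_encrypt_block(key, bytes(16)))
    return k1, _dbl(k1)

def aes_cmac(key, msg):
    """Post-processing: mask a complete last block with K1, or pad (10*) and mask with K2,
    then hand the result to the unmodified CBC-MAC (RFC 4493 section 2.4)."""
    k1, k2 = cmac_subkeys(key)
    n = max(1, (len(msg) + 15) // 16)
    head, last = msg[:16 * (n - 1)], msg[16 * (n - 1):]
    if len(last) == 16:
        last = _xor(last, k1)
    else:
        last = _xor(last + b"\x80" + bytes(15 - len(last)), k2)
    return cbc_mac(key, head + last)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # RFC 4493 test key
    print("K1, K2 =", *(k.hex() for k in cmac_subkeys(key)))
    print("CMAC(empty) =", aes_cmac(key, b"").hex())
```

Because the only per-message work beyond CBC-MAC is the XOR into the last block, a CBC-MAC accelerator that cannot be taught CMAC directly can still be reused: derive K1/K2 once per key, then feed it head + masked last block.
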
I think there were a few more, but that's good to know. Let's see if anybody picks it up, or that people move to newer single pass schemes like Keyak (based on Keccak, a.k.a. SHA-3).
– Maarten Bodewes ♦ Nov 16 '17 at 22:23